On 5/7/07, Dan Lynch wrote:
> I'm looking for opinions on internal enterprise network firewalling. Our
> environment is almost exclusively Microsoft Active Directory-based.
> There are general purpose file servers, AD domain controllers, SMS
> servers, Exchange servers, and MS-SQL-based database app servers. In all
> about 80+ servers for over 2500 users on about 2000 client machines, all
> running Windows XP.
> How prevalent is it to segregate internal use servers away from internal
> clients behind firewalls? What benefits might we gain from the practice?

It's common to isolate production servers from development and from
users, or even to isolate servers from other servers. Aside from the
obvious, having a strict "that which is not explicitly permitted is
denied" policy ensures that new services just don't appear out of the
blue without some formal process and approval. Also valuable to take
into account is that the policy should not only restrict what is
permitted inbound towards servers, but what is permitted out from the
servers towards other internal segments, and towards the Internet.

I've also dealt with sites where the server admins convinced
management that a strong policy was too much of a hardship, and that
the firewall group should instead be required to implement a
"negative" policy, of only blocking the bad staff. This was a

If the company is not going to be willing to implement a strong
"positive" firewall policy, then your needs might be better served by
installing NIDS.

> What threats are we protected from?

Nachi, Welchia, SQL-Slammer, Joe in accounts-payable, etc.

In a pure Microsoft monoculture, you have to consider not only the
obvious risk of an epidemic due to a fast-spreading worm, but also
that uniform system administration can mean uniform exposure when an
administrator's password is compromised.

firewall-wizards mailing list
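The "that which is not explicitly permitted is denied" policy described in the reply, with control of both inbound and outbound traffic, can be modelled in a few lines. The following Python is an added example, not code from the thread or from any firewall product: the zones (10.1.0.0/16 for clients, 10.2.0.0/24 for servers, everything else "internet"), the allow list and the sample flows are all constructed for illustration, and `evaluate`/`audit` are hypothetical helper names. It shows why a service that no one approved (a workstation talking straight to MS-SQL, a server reaching into the client segment, UDP/1434 between servers) falls through to the default deny and lands in the log instead of silently becoming infrastructure.

```python
"""Toy model of a positive ("deny unless permitted") firewall policy for an
internal server segment, covering inbound and outbound flows.
Added example; zones, hosts and ports are constructed, not taken from any
real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan: client VLAN, server VLAN, anything else is "internet".
ZONES = {
    "clients": ip_network("10.1.0.0/16"),
    "servers": ip_network("10.2.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown space is treated as the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None means any destination port
    comment: str          # who approved it and why


# The explicit allow list. Every entry is the outcome of a formal request;
# anything that does not match falls through to the default deny.
POLICY = [
    Rule("clients", "servers", "tcp", 445,  "file shares"),
    Rule("clients", "servers", "tcp", 88,   "Kerberos"),
    Rule("clients", "servers", "udp", 88,   "Kerberos"),
    Rule("clients", "servers", "tcp", 389,  "LDAP to domain controllers"),
    Rule("clients", "servers", "udp", 53,   "DNS"),
    Rule("servers", "servers", "tcp", 1433, "app servers to MS-SQL"),
    Rule("servers", "internet", "tcp", 443, "patch downloads"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ('allow', comment) for the first matching rule, else ('deny', ...)."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    for r in POLICY:
        if (r.src_zone == sz and r.dst_zone == dz and r.proto == flow.proto
                and (r.dport is None or r.dport == flow.dport)):
            return "allow", r.comment
    return "deny", "default deny"


def audit(flows: List[Flow]) -> Tuple[List[str], List[str]]:
    """Evaluate a batch of flows; denied ones produce a log line so that an
    unapproved service is visible to the firewall group before it is relied on."""
    verdicts, logs = [], []
    for f in flows:
        verdict, reason = evaluate(f)
        verdicts.append(verdict)
        if verdict == "deny":
            logs.append(f"DENY {zone_of(f.src)}->{zone_of(f.dst)} "
                        f"{f.proto}/{f.dport} {f.src}->{f.dst} ({reason})")
    return verdicts, logs


# Constructed sample flows (addresses are illustrative).
SAMPLE_FLOWS = [
    Flow("10.1.5.20", "10.2.0.10", "tcp", 445),    # workstation to file server
    Flow("10.1.5.20", "10.2.0.30", "tcp", 1433),   # workstation straight to SQL
    Flow("10.2.0.10", "198.51.100.7", "tcp", 443),  # server fetching patches
    Flow("10.2.0.10", "10.1.7.44", "tcp", 445),    # server reaching into clients
    Flow("10.2.0.30", "10.2.0.31", "udp", 1434),   # SQL resolution between servers
]

if __name__ == "__main__":
    verdicts, logs = audit(SAMPLE_FLOWS)
    for f, v in zip(SAMPLE_FLOWS, verdicts):
        print(v, f)
    print("\n".join(logs))
```

The outbound rules matter as much as the inbound ones: the fourth flow is the shape a worm takes when it spreads from a compromised server into the client VLAN, and nothing in the policy permits it, so it is dropped and logged rather than reaching the workstations.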